Justin’s organization has recently undergone a third-party audit that determined that their data- handling processes don’t comply with the GDPR. Changes to become compliant will take almost a year due to existing systems and software. What risk management strategy is Justin’s organization choosing if they continue to operate knowing they are noncompliant?

Risk exception recognizes risk areas where an organization may not be in compliance with policies or regulations, and may be acknowledged because they cannot be addressed in a timely manner or are required for the organization to conduct business. Risk transfer options move the costs of risks to another organization such as through insurance. Risk avoidance involves preventing the risk from occurring. Mitigation works to limit the impact of a risk, such as by taking action to prevent further malware spread.